From: Greg Kroah-Hartman Date: Tue, 9 May 2017 09:47:44 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.4.68~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cceffc35fee7233336f2a9600691fd3fe40853e3;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: arm-8452-3-pj4-make-coprocessor-access-sequences-buildable-in-thumb2-mode.patch arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch usb-serial-ark3116-fix-open-error-handling.patch usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch usb-serial-io_edgeport-fix-descriptor-error-handling.patch usb-serial-io_edgeport-fix-epic-descriptor-handling.patch usb-serial-keyspan_pda-fix-receive-sanity-checks.patch usb-serial-mct_u232-fix-modem-status-error-handling.patch usb-serial-quatech2-fix-control-message-error-handling.patch usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch usb-serial-ssu100-fix-control-message-error-handling.patch usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch --- diff --git a/queue-3.18/arm-8452-3-pj4-make-coprocessor-access-sequences-buildable-in-thumb2-mode.patch b/queue-3.18/arm-8452-3-pj4-make-coprocessor-access-sequences-buildable-in-thumb2-mode.patch new file mode 100644 index 00000000000..bbabf9f584e --- /dev/null +++ b/queue-3.18/arm-8452-3-pj4-make-coprocessor-access-sequences-buildable-in-thumb2-mode.patch @@ -0,0 +1,57 @@ +From 5008efc83bf85b647aa1cbc44718b1675bbb7444 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Tue, 22 Dec 2015 08:24:59 +0100 +Subject: ARM: 8452/3: PJ4: make coprocessor access sequences buildable in Thumb2 mode + +From: Ard Biesheuvel + +commit 5008efc83bf85b647aa1cbc44718b1675bbb7444 upstream. + +The PJ4 inline asm sequence to write to cp15 cannot be built in Thumb-2 +mode, due to the way it performs arithmetic on the program counter, so it +is built in ARM mode instead. However, building C files in ARM mode under +CONFIG_THUMB2_KERNEL is problematic, since the instrumentation performed +by subsystems like ftrace does not expect having to deal with interworking +branches. + +Since the sequence in question is simply a poor man's ISB instruction, +let's use a straight 'isb' instead when building in Thumb2 mode. Thumb2 +implies V7, so 'isb' should always be supported in that case. + +Acked-by: Arnd Bergmann +Acked-by: Nicolas Pitre +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kernel/Makefile | 1 - + arch/arm/kernel/pj4-cp0.c | 4 ++++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/arm/kernel/Makefile ++++ b/arch/arm/kernel/Makefile +@@ -84,7 +84,6 @@ obj-$(CONFIG_CPU_PJ4B) += pj4-cp0.o + obj-$(CONFIG_IWMMXT) += iwmmxt.o + obj-$(CONFIG_PERF_EVENTS) += perf_regs.o + obj-$(CONFIG_HW_PERF_EVENTS) += perf_event.o perf_event_cpu.o +-CFLAGS_pj4-cp0.o := -marm + AFLAGS_iwmmxt.o := -Wa,-mcpu=iwmmxt + obj-$(CONFIG_ARM_CPU_TOPOLOGY) += topology.o + +--- a/arch/arm/kernel/pj4-cp0.c ++++ b/arch/arm/kernel/pj4-cp0.c +@@ -66,9 +66,13 @@ static void __init pj4_cp_access_write(u + + __asm__ __volatile__ ( + "mcr p15, 0, %1, c1, c0, 2\n\t" ++#ifdef CONFIG_THUMB2_KERNEL ++ "isb\n\t" ++#else + "mrc p15, 0, %0, c1, c0, 2\n\t" + "mov %0, %0\n\t" + "sub pc, pc, #4\n\t" ++#endif + : "=r" (temp) : "r" (value)); + } + diff --git a/queue-3.18/arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch b/queue-3.18/arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch new file mode 100644 index 00000000000..1ad16324926 --- /dev/null +++ b/queue-3.18/arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch @@ -0,0 +1,40 @@ +From 448c077eeb02240c430db2a2c3bf5285a4c65d66 Mon Sep 17 00:00:00 2001 +From: Matthijs van Duin +Date: Thu, 16 Feb 2017 01:05:04 +0100 +Subject: ARM: OMAP5 / DRA7: Fix HYP mode boot for thumb2 build + +From: Matthijs van Duin + +commit 448c077eeb02240c430db2a2c3bf5285a4c65d66 upstream. + +'adr' yields a data-pointer, not a function-pointer. + +Fixes: 999f934de195 ("ARM: omap5/dra7xx: Enable booting secondary +CPU in HYP mode") +Signed-off-by: Matthijs van Duin +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-omap2/omap-headsmp.S | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm/mach-omap2/omap-headsmp.S ++++ b/arch/arm/mach-omap2/omap-headsmp.S +@@ -17,6 +17,7 @@ + + #include + #include ++#include + + #include "omap44xx.h" + +@@ -56,7 +57,7 @@ wait_2: ldr r2, =AUX_CORE_BOOT0_PA @ rea + cmp r0, r4 + bne wait_2 + ldr r12, =API_HYP_ENTRY +- adr r0, hyp_boot ++ badr r0, hyp_boot + smc #0 + hyp_boot: + b secondary_startup diff --git a/queue-3.18/cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch b/queue-3.18/cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch new file mode 100644 index 00000000000..d3e031b4317 --- /dev/null +++ b/queue-3.18/cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch @@ -0,0 +1,35 @@ +From 4cca0457686e4ee1677d69469e4ddfd94d389a80 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Tue, 11 Apr 2017 00:29:44 +0100 +Subject: cpupower: Fix turbo frequency reporting for pre-Sandy Bridge cores + +From: Ben Hutchings + +commit 4cca0457686e4ee1677d69469e4ddfd94d389a80 upstream. + +The switch that conditionally sets CPUPOWER_CAP_HAS_TURBO_RATIO and +CPUPOWER_CAP_IS_SNB flags is missing a break, so all cores get both +flags set and an assumed base clock of 100 MHz for turbo values. + +Reported-by: GSR +Tested-by: GSR +References: https://bugs.debian.org/859978 +Fixes: 8fb2e440b223 (cpupower: Show Intel turbo ratio support via ...) +Signed-off-by: Ben Hutchings +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + tools/power/cpupower/utils/helpers/cpuid.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/power/cpupower/utils/helpers/cpuid.c ++++ b/tools/power/cpupower/utils/helpers/cpuid.c +@@ -156,6 +156,7 @@ out: + */ + case 0x2C: /* Westmere EP - Gulftown */ + cpu_info->caps |= CPUPOWER_CAP_HAS_TURBO_RATIO; ++ break; + case 0x2A: /* SNB */ + case 0x2D: /* SNB Xeon */ + case 0x3A: /* IVB */ diff --git a/queue-3.18/kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch b/queue-3.18/kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch new file mode 100644 index 00000000000..aa0c2fc74b4 --- /dev/null +++ b/queue-3.18/kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch @@ -0,0 +1,87 @@ +From 75013fb16f8484898eaa8d0b08fed942d790f029 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Wed, 1 Mar 2017 01:23:24 +0900 +Subject: kprobes/x86: Fix kernel panic when certain exception-handling addresses are probed + +From: Masami Hiramatsu + +commit 75013fb16f8484898eaa8d0b08fed942d790f029 upstream. + +Fix to the exception table entry check by using probed address +instead of the address of copied instruction. + +This bug may cause unexpected kernel panic if user probe an address +where an exception can happen which should be fixup by __ex_table +(e.g. copy_from_user.) + +Unless user puts a kprobe on such address, this doesn't +cause any problem. + +This bug has been introduced years ago, by commit: + + 464846888d9a ("x86/kprobes: Fix a bug which can modify kernel code permanently"). + +Signed-off-by: Masami Hiramatsu +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 464846888d9a ("x86/kprobes: Fix a bug which can modify kernel code permanently") +Link: http://lkml.kernel.org/r/148829899399.28855.12581062400757221722.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/kprobes/common.h | 2 +- + arch/x86/kernel/kprobes/core.c | 6 +++--- + arch/x86/kernel/kprobes/opt.c | 2 +- + 3 files changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/x86/kernel/kprobes/common.h ++++ b/arch/x86/kernel/kprobes/common.h +@@ -67,7 +67,7 @@ + #endif + + /* Ensure if the instruction can be boostable */ +-extern int can_boost(kprobe_opcode_t *instruction); ++extern int can_boost(kprobe_opcode_t *instruction, void *addr); + /* Recover instruction if given address is probed */ + extern unsigned long recover_probed_instruction(kprobe_opcode_t *buf, + unsigned long addr); +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -163,12 +163,12 @@ NOKPROBE_SYMBOL(skip_prefixes); + * Returns non-zero if opcode is boostable. + * RIP relative instructions are adjusted at copying time in 64 bits mode + */ +-int can_boost(kprobe_opcode_t *opcodes) ++int can_boost(kprobe_opcode_t *opcodes, void *addr) + { + kprobe_opcode_t opcode; + kprobe_opcode_t *orig_opcodes = opcodes; + +- if (search_exception_tables((unsigned long)opcodes)) ++ if (search_exception_tables((unsigned long)addr)) + return 0; /* Page fault may occur on this address. */ + + retry: +@@ -385,7 +385,7 @@ static int arch_copy_kprobe(struct kprob + * __copy_instruction can modify the displacement of the instruction, + * but it doesn't affect boostable check. + */ +- if (can_boost(p->ainsn.insn)) ++ if (can_boost(p->ainsn.insn, p->addr)) + p->ainsn.boostable = 0; + else + p->ainsn.boostable = -1; +--- a/arch/x86/kernel/kprobes/opt.c ++++ b/arch/x86/kernel/kprobes/opt.c +@@ -177,7 +177,7 @@ static int copy_optimized_instructions(u + + while (len < RELATIVEJUMP_SIZE) { + ret = __copy_instruction(dest + len, src + len); +- if (!ret || !can_boost(dest + len)) ++ if (!ret || !can_boost(dest + len, src + len)) + return -EINVAL; + len += ret; + } diff --git a/queue-3.18/mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch b/queue-3.18/mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch new file mode 100644 index 00000000000..67b93c9c85f --- /dev/null +++ b/queue-3.18/mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch @@ -0,0 +1,38 @@ +From a5b60de6972decc6b50a39abb376077c3c3621c8 Mon Sep 17 00:00:00 2001 +From: Ganapathi Bhat +Date: Fri, 3 Feb 2017 18:30:22 +0530 +Subject: mwifiex: Avoid skipping WEP key deletion for AP + +From: Ganapathi Bhat + +commit a5b60de6972decc6b50a39abb376077c3c3621c8 upstream. + +This patch fixes the issue specific to AP. AP is started with WEP +security and external station is connected to it. Data path works +in this case. Now if AP is restarted with WPA/WPA2 security, +station is able to connect but ping fails. + +Driver skips the deletion of WEP keys if interface type is AP. +Removing that redundant check resolves the issue. + +Fixes: e57f1734d87a ("mwifiex: add key material v2 support") +Signed-off-by: Ganapathi Bhat +Signed-off-by: Amitkumar Karwar +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/sta_ioctl.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/wireless/mwifiex/sta_ioctl.c ++++ b/drivers/net/wireless/mwifiex/sta_ioctl.c +@@ -1074,8 +1074,6 @@ int mwifiex_set_encode(struct mwifiex_pr + encrypt_key.is_rx_seq_valid = true; + } + } else { +- if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_UAP) +- return 0; + encrypt_key.key_disable = true; + if (mac_addr) + memcpy(encrypt_key.mac_addr, mac_addr, ETH_ALEN); diff --git a/queue-3.18/mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch b/queue-3.18/mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch new file mode 100644 index 00000000000..df9e7fb24c6 --- /dev/null +++ b/queue-3.18/mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch @@ -0,0 +1,51 @@ +From 6183468a23fc6b6903f8597982017ad2c7fdefcf Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 9 Jan 2017 15:33:50 -0800 +Subject: mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print + +From: Brian Norris + +commit 6183468a23fc6b6903f8597982017ad2c7fdefcf upstream. + +Similar to commit fcd2042e8d36 ("mwifiex: printk() overflow with 32-byte +SSIDs"), we failed to account for the existence of 32-char SSIDs in our +debugfs code. Unlike in that case though, we zeroed out the containing +struct first, and I'm pretty sure we're guaranteed to have some padding +after the 'ssid.ssid' and 'ssid.ssid_len' fields (the struct is 33 bytes +long). + +So, this is the difference between: + + # cat /sys/kernel/debug/mwifiex/mlan0/info + ... + essid="0123456789abcdef0123456789abcdef " + ... + +and the correct output: + + # cat /sys/kernel/debug/mwifiex/mlan0/info + ... + essid="0123456789abcdef0123456789abcdef" + ... + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Signed-off-by: Brian Norris +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/debugfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/mwifiex/debugfs.c ++++ b/drivers/net/wireless/mwifiex/debugfs.c +@@ -220,7 +220,8 @@ mwifiex_info_read(struct file *file, cha + if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) { + p += sprintf(p, "multicast_count=\"%d\"\n", + netdev_mc_count(netdev)); +- p += sprintf(p, "essid=\"%s\"\n", info.ssid.ssid); ++ p += sprintf(p, "essid=\"%.*s\"\n", info.ssid.ssid_len, ++ info.ssid.ssid); + p += sprintf(p, "bssid=\"%pM\"\n", info.bssid); + p += sprintf(p, "channel=\"%d\"\n", (int) info.bss_chan); + p += sprintf(p, "country_code = \"%s\"\n", info.country_code); diff --git a/queue-3.18/power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch b/queue-3.18/power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch new file mode 100644 index 00000000000..617be1760ca --- /dev/null +++ b/queue-3.18/power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch @@ -0,0 +1,34 @@ +From e05ad7e0741ce0505e1df157c62b22b95172bb97 Mon Sep 17 00:00:00 2001 +From: Liam Breck +Date: Wed, 18 Jan 2017 09:26:49 -0800 +Subject: power: supply: bq24190_charger: Call set_mode_host() on pm_resume() + +From: Liam Breck + +commit e05ad7e0741ce0505e1df157c62b22b95172bb97 upstream. + +pm_resume() does a register_reset() which clears charger host mode. + +Fix by calling set_mode_host() after the reset. + +Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger") +Signed-off-by: Liam Breck +Acked-by: Mark Greer +Acked-by: Tony Lindgren +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/bq24190_charger.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/power/bq24190_charger.c ++++ b/drivers/power/bq24190_charger.c +@@ -1496,6 +1496,7 @@ static int bq24190_pm_resume(struct devi + + pm_runtime_get_sync(bdi->dev); + bq24190_register_reset(bdi); ++ bq24190_set_mode_host(bdi); + pm_runtime_put_sync(bdi->dev); + + /* Things may have changed while suspended so alert upper layer */ diff --git a/queue-3.18/power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch b/queue-3.18/power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch new file mode 100644 index 00000000000..071c815a09c --- /dev/null +++ b/queue-3.18/power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch @@ -0,0 +1,39 @@ +From 767eee362fd72bb2ca44cc80419ca4b38c6d8369 Mon Sep 17 00:00:00 2001 +From: Liam Breck +Date: Wed, 18 Jan 2017 09:26:48 -0800 +Subject: power: supply: bq24190_charger: Fix irq trigger to IRQF_TRIGGER_FALLING + +From: Liam Breck + +commit 767eee362fd72bb2ca44cc80419ca4b38c6d8369 upstream. + +The interrupt signal is TRIGGER_FALLING. This is is specified in the +data sheet PIN FUNCTIONS: "The INT pin sends active low, 256us +pulse to host to report charger device status and fault." + +Also the direction can be seen in the data sheet Figure 37 "BQ24190 +with D+/D- Detection and USB On-The-Go (OTG)" which shows a 10k +pull-up resistor installed for the sample configurations. + +Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger") +Signed-off-by: Liam Breck +Acked-by: Mark Greer +Acked-by: Tony Lindgren +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/bq24190_charger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/power/bq24190_charger.c ++++ b/drivers/power/bq24190_charger.c +@@ -1400,7 +1400,7 @@ static int bq24190_probe(struct i2c_clie + + ret = devm_request_threaded_irq(dev, bdi->irq, NULL, + bq24190_irq_handler_thread, +- IRQF_TRIGGER_RISING | IRQF_ONESHOT, ++ IRQF_TRIGGER_FALLING | IRQF_ONESHOT, + "bq24190-charger", bdi); + if (ret < 0) { + dev_err(dev, "Can't set up irq handler\n"); diff --git a/queue-3.18/powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch b/queue-3.18/powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch new file mode 100644 index 00000000000..5b729c86551 --- /dev/null +++ b/queue-3.18/powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch @@ -0,0 +1,45 @@ +From a7e0fb6c2029a780444d09560f739e020d54fe4d Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 7 Feb 2017 21:01:01 +1100 +Subject: powerpc/powernv: Fix opal_exit tracepoint opcode + +From: Michael Ellerman + +commit a7e0fb6c2029a780444d09560f739e020d54fe4d upstream. + +Currently the opal_exit tracepoint usually shows the opcode as 0: + + -0 [047] d.h. 635.654292: opal_entry: opcode=63 + -0 [047] d.h. 635.654296: opal_exit: opcode=0 retval=0 + kopald-1209 [019] d... 636.420943: opal_entry: opcode=10 + kopald-1209 [019] d... 636.420959: opal_exit: opcode=0 retval=0 + +This is because we incorrectly load the opcode into r0 before calling +__trace_opal_exit(), whereas it expects the opcode in r3 (first function +parameter). In fact we are leaving the retval in r3, so opcode and +retval will always show the same value. + +Instead load the opcode into r3, resulting in: + + -0 [040] d.h. 636.618625: opal_entry: opcode=63 + -0 [040] d.h. 636.618627: opal_exit: opcode=63 retval=0 + +Fixes: c49f63530bb6 ("powernv: Add OPAL tracepoints") +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/opal-wrappers.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/opal-wrappers.S ++++ b/arch/powerpc/platforms/powernv/opal-wrappers.S +@@ -148,7 +148,7 @@ opal_tracepoint_entry: + opal_tracepoint_return: + std r3,STK_REG(R31)(r1) + mr r4,r3 +- ld r0,STK_REG(R23)(r1) ++ ld r3,STK_REG(R23)(r1) + bl __trace_opal_exit + ld r3,STK_REG(R31)(r1) + addi r1,r1,STACKFRAMESIZE diff --git a/queue-3.18/revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch b/queue-3.18/revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch new file mode 100644 index 00000000000..ebe84b43c0a --- /dev/null +++ b/queue-3.18/revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch @@ -0,0 +1,55 @@ +From 0b4c208d443ba2af82b4c70f99ca8df31e9a0020 Mon Sep 17 00:00:00 2001 +From: Jim Mattson +Date: Tue, 20 Dec 2016 16:34:50 -0800 +Subject: Revert "KVM: nested VMX: disable perf cpuid reporting" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jim Mattson + +commit 0b4c208d443ba2af82b4c70f99ca8df31e9a0020 upstream. + +This reverts commit bc6134942dbbf31c25e9bd7c876be5da81c9e1ce. + +A CPUID instruction executed in VMX non-root mode always causes a +VM-exit, regardless of the leaf being queried. + +Fixes: bc6134942dbb ("KVM: nested VMX: disable perf cpuid reporting") +Signed-off-by: Jim Mattson +[The issue solved by bc6134942dbb has been resolved with ff651cb613b4 + ("KVM: nVMX: Add nested msr load/restore algorithm").] +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/cpuid.c | 6 ------ + arch/x86/kvm/vmx.c | 2 -- + 2 files changed, 8 deletions(-) + +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -787,12 +787,6 @@ void kvm_cpuid(struct kvm_vcpu *vcpu, u3 + if (!best) + best = check_cpuid_limit(vcpu, function, index); + +- /* +- * Perfmon not yet supported for L2 guest. +- */ +- if (is_guest_mode(vcpu) && function == 0xa) +- best = NULL; +- + if (best) { + *eax = best->eax; + *ebx = best->ebx; +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -7047,8 +7047,6 @@ static bool nested_vmx_exit_handled(stru + case EXIT_REASON_TASK_SWITCH: + return 1; + case EXIT_REASON_CPUID: +- if (kvm_register_read(vcpu, VCPU_REGS_RAX) == 0xa) +- return 0; + return 1; + case EXIT_REASON_HLT: + return nested_cpu_has(vmcs12, CPU_BASED_HLT_EXITING); diff --git a/queue-3.18/scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch b/queue-3.18/scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch new file mode 100644 index 00000000000..c4ebf4d6d40 --- /dev/null +++ b/queue-3.18/scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch @@ -0,0 +1,32 @@ +From 4d7d39a18b8b81511f0b893b7d2203790bf8a58b Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 21 Feb 2017 21:46:37 +0300 +Subject: scsi: scsi_dh_emc: return success in clariion_std_inquiry() + +From: Dan Carpenter + +commit 4d7d39a18b8b81511f0b893b7d2203790bf8a58b upstream. + +We accidentally return an uninitialized variable on success. + +Fixes: b6ff1b14cdf4 ("[SCSI] scsi_dh: Update EMC handler") +Signed-off-by: Dan Carpenter +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/device_handler/scsi_dh_emc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/device_handler/scsi_dh_emc.c ++++ b/drivers/scsi/device_handler/scsi_dh_emc.c +@@ -464,7 +464,7 @@ static int clariion_prep_fn(struct scsi_ + static int clariion_std_inquiry(struct scsi_device *sdev, + struct clariion_dh_data *csdev) + { +- int err; ++ int err = SCSI_DH_OK; + char *sp_model; + + err = send_inquiry_cmd(sdev, 0, csdev); diff --git a/queue-3.18/series b/queue-3.18/series index dcebcaf7dd5..348dfe4608f 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -1,3 +1,29 @@ 9p-fix-a-potential-acl-leak.patch tty-remove-platform_sysrq_reset_seq.patch mtd-cfi-reduce-stack-size.patch +arm-8452-3-pj4-make-coprocessor-access-sequences-buildable-in-thumb2-mode.patch +cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch +powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch +power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch +power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch +arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch +mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch +mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch +x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch +kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch +x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch +revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch +usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch +usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch +usb-serial-keyspan_pda-fix-receive-sanity-checks.patch +usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch +usb-serial-ssu100-fix-control-message-error-handling.patch +usb-serial-io_edgeport-fix-epic-descriptor-handling.patch +usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch +usb-serial-ark3116-fix-open-error-handling.patch +usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch +usb-serial-quatech2-fix-control-message-error-handling.patch +usb-serial-mct_u232-fix-modem-status-error-handling.patch +usb-serial-io_edgeport-fix-descriptor-error-handling.patch +usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch +scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch diff --git a/queue-3.18/usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch b/queue-3.18/usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch new file mode 100644 index 00000000000..7026746e5b0 --- /dev/null +++ b/queue-3.18/usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch @@ -0,0 +1,38 @@ +From 3f6026b1dcb3c8ee71198c485a72ac674c6890dd Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sat, 7 Jan 2017 10:41:40 +0200 +Subject: usb: host: ehci-exynos: Decrese node refcount on exynos_ehci_get_phy() error paths + +From: Krzysztof Kozlowski + +commit 3f6026b1dcb3c8ee71198c485a72ac674c6890dd upstream. + +Returning from for_each_available_child_of_node() loop requires cleaning +up node refcount. Error paths lacked it so for example in case of +deferred probe, the refcount of phy node was left increased. + +Fixes: 6d40500ac9b6 ("usb: ehci/ohci-exynos: Fix of_node_put() for child when getting PHYs") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Alan Stern +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-exynos.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/host/ehci-exynos.c ++++ b/drivers/usb/host/ehci-exynos.c +@@ -78,10 +78,12 @@ static int exynos_ehci_get_phy(struct de + if (IS_ERR(phy)) { + ret = PTR_ERR(phy); + if (ret == -EPROBE_DEFER) { ++ of_node_put(child); + return ret; + } else if (ret != -ENOSYS && ret != -ENODEV) { + dev_err(dev, + "Error retrieving usb2 phy: %d\n", ret); ++ of_node_put(child); + return ret; + } + } diff --git a/queue-3.18/usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch b/queue-3.18/usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch new file mode 100644 index 00000000000..88a4b947a03 --- /dev/null +++ b/queue-3.18/usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch @@ -0,0 +1,38 @@ +From 68bd6fc3cfa98ef253e17307ccafd8ef907b5556 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sat, 7 Jan 2017 10:41:41 +0200 +Subject: usb: host: ohci-exynos: Decrese node refcount on exynos_ehci_get_phy() error paths + +From: Krzysztof Kozlowski + +commit 68bd6fc3cfa98ef253e17307ccafd8ef907b5556 upstream. + +Returning from for_each_available_child_of_node() loop requires cleaning +up node refcount. Error paths lacked it so for example in case of +deferred probe, the refcount of phy node was left increased. + +Fixes: 6d40500ac9b6 ("usb: ehci/ohci-exynos: Fix of_node_put() for child when getting PHYs") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Alan Stern +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ohci-exynos.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/host/ohci-exynos.c ++++ b/drivers/usb/host/ohci-exynos.c +@@ -67,10 +67,12 @@ static int exynos_ohci_get_phy(struct de + if (IS_ERR(phy)) { + ret = PTR_ERR(phy); + if (ret == -EPROBE_DEFER) { ++ of_node_put(child); + return ret; + } else if (ret != -ENOSYS && ret != -ENODEV) { + dev_err(dev, + "Error retrieving usb2 phy: %d\n", ret); ++ of_node_put(child); + return ret; + } + } diff --git a/queue-3.18/usb-serial-ark3116-fix-open-error-handling.patch b/queue-3.18/usb-serial-ark3116-fix-open-error-handling.patch new file mode 100644 index 00000000000..7480d6668ab --- /dev/null +++ b/queue-3.18/usb-serial-ark3116-fix-open-error-handling.patch @@ -0,0 +1,81 @@ +From b631433b175f1002a31020e09bbfc2e5caecf290 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:10 +0100 +Subject: USB: serial: ark3116: fix open error handling + +From: Johan Hovold + +commit b631433b175f1002a31020e09bbfc2e5caecf290 upstream. + +Fix open error handling which failed to detect errors when reading the +MSR and LSR registers, something which could lead to the shadow +registers being initialised from errnos. + +Note that calling the generic close implementation is sufficient in the +error paths as the interrupt urb has not yet been submitted and the +register updates have not been made. + +Fixes: f4c1e8d597d1 ("USB: ark3116: Make existing functions 16450-aware +and add close and release functions.") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ark3116.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/drivers/usb/serial/ark3116.c ++++ b/drivers/usb/serial/ark3116.c +@@ -366,23 +366,29 @@ static int ark3116_open(struct tty_struc + dev_dbg(&port->dev, + "%s - usb_serial_generic_open failed: %d\n", + __func__, result); +- goto err_out; ++ goto err_free; + } + + /* remove any data still left: also clears error state */ + ark3116_read_reg(serial, UART_RX, buf); + + /* read modem status */ +- priv->msr = ark3116_read_reg(serial, UART_MSR, buf); ++ result = ark3116_read_reg(serial, UART_MSR, buf); ++ if (result < 0) ++ goto err_close; ++ priv->msr = *buf; ++ + /* read line status */ +- priv->lsr = ark3116_read_reg(serial, UART_LSR, buf); ++ result = ark3116_read_reg(serial, UART_LSR, buf); ++ if (result < 0) ++ goto err_close; ++ priv->lsr = *buf; + + result = usb_submit_urb(port->interrupt_in_urb, GFP_KERNEL); + if (result) { + dev_err(&port->dev, "submit irq_in urb failed %d\n", + result); +- ark3116_close(port); +- goto err_out; ++ goto err_close; + } + + /* activate interrupts */ +@@ -395,8 +401,15 @@ static int ark3116_open(struct tty_struc + if (tty) + ark3116_set_termios(tty, port, NULL); + +-err_out: + kfree(buf); ++ ++ return 0; ++ ++err_close: ++ usb_serial_generic_close(port); ++err_free: ++ kfree(buf); ++ + return result; + } + diff --git a/queue-3.18/usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch b/queue-3.18/usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch new file mode 100644 index 00000000000..91c641abde0 --- /dev/null +++ b/queue-3.18/usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch @@ -0,0 +1,81 @@ +From 1b0aed2b1600f6e5c7b9acfbd610a4e351ef5232 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 31 Jan 2017 17:17:28 +0100 +Subject: USB: serial: digi_acceleport: fix incomplete rx sanity check + +From: Johan Hovold + +commit 1b0aed2b1600f6e5c7b9acfbd610a4e351ef5232 upstream. + +Make sure the received data has the required headers before parsing it. + +Also drop the redundant urb-status check, which has already been handled +by the caller. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/digi_acceleport.c | 38 +++++++++++++++++++++-------------- + 1 file changed, 23 insertions(+), 15 deletions(-) + +--- a/drivers/usb/serial/digi_acceleport.c ++++ b/drivers/usb/serial/digi_acceleport.c +@@ -1399,25 +1399,30 @@ static int digi_read_inb_callback(struct + { + struct usb_serial_port *port = urb->context; + struct digi_port *priv = usb_get_serial_port_data(port); +- int opcode = ((unsigned char *)urb->transfer_buffer)[0]; +- int len = ((unsigned char *)urb->transfer_buffer)[1]; +- int port_status = ((unsigned char *)urb->transfer_buffer)[2]; +- unsigned char *data = ((unsigned char *)urb->transfer_buffer) + 3; ++ unsigned char *buf = urb->transfer_buffer; ++ int opcode; ++ int len; ++ int port_status; ++ unsigned char *data; + int flag, throttled; +- int status = urb->status; +- +- /* do not process callbacks on closed ports */ +- /* but do continue the read chain */ +- if (urb->status == -ENOENT) +- return 0; + + /* short/multiple packet check */ ++ if (urb->actual_length < 2) { ++ dev_warn(&port->dev, "short packet received\n"); ++ return -1; ++ } ++ ++ opcode = buf[0]; ++ len = buf[1]; ++ + if (urb->actual_length != len + 2) { +- dev_err(&port->dev, "%s: INCOMPLETE OR MULTIPLE PACKET, " +- "status=%d, port=%d, opcode=%d, len=%d, " +- "actual_length=%d, status=%d\n", __func__, status, +- priv->dp_port_num, opcode, len, urb->actual_length, +- port_status); ++ dev_err(&port->dev, "malformed packet received: port=%d, opcode=%d, len=%d, actual_length=%u\n", ++ priv->dp_port_num, opcode, len, urb->actual_length); ++ return -1; ++ } ++ ++ if (opcode == DIGI_CMD_RECEIVE_DATA && len < 1) { ++ dev_err(&port->dev, "malformed data packet received\n"); + return -1; + } + +@@ -1431,6 +1436,9 @@ static int digi_read_inb_callback(struct + + /* receive data */ + if (opcode == DIGI_CMD_RECEIVE_DATA) { ++ port_status = buf[2]; ++ data = &buf[3]; ++ + /* get flag from port_status */ + flag = 0; + diff --git a/queue-3.18/usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch b/queue-3.18/usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch new file mode 100644 index 00000000000..bed2baf23dc --- /dev/null +++ b/queue-3.18/usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch @@ -0,0 +1,42 @@ +From e3e574ad85a208cb179f33720bb5f12b453de33c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:12 +0100 +Subject: USB: serial: ftdi_sio: fix latency-timer error handling + +From: Johan Hovold + +commit e3e574ad85a208cb179f33720bb5f12b453de33c upstream. + +Make sure to detect short responses when reading the latency timer to +avoid using stale buffer data. + +Note that no heap data would currently leak through sysfs as +ASYNC_LOW_LATENCY is set by default. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1437,10 +1437,13 @@ static int read_latency_timer(struct usb + FTDI_SIO_GET_LATENCY_TIMER_REQUEST_TYPE, + 0, priv->interface, + buf, 1, WDR_TIMEOUT); +- if (rv < 0) ++ if (rv < 1) { + dev_err(&port->dev, "Unable to read latency timer: %i\n", rv); +- else ++ if (rv >= 0) ++ rv = -EIO; ++ } else { + priv->latency = buf[0]; ++ } + + kfree(buf); + diff --git a/queue-3.18/usb-serial-io_edgeport-fix-descriptor-error-handling.patch b/queue-3.18/usb-serial-io_edgeport-fix-descriptor-error-handling.patch new file mode 100644 index 00000000000..03784a75161 --- /dev/null +++ b/queue-3.18/usb-serial-io_edgeport-fix-descriptor-error-handling.patch @@ -0,0 +1,83 @@ +From 3c0e25d883d06a1fbd1ad35257e8abaa57befb37 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:14 +0100 +Subject: USB: serial: io_edgeport: fix descriptor error handling + +From: Johan Hovold + +commit 3c0e25d883d06a1fbd1ad35257e8abaa57befb37 upstream. + +Make sure to detect short control-message transfers and log an error +when reading incomplete manufacturer and boot descriptors. + +Note that the default all-zero descriptors will now be used after a +short transfer is detected instead of partially initialised ones. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/io_edgeport.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -2109,8 +2109,7 @@ static int rom_write(struct usb_serial * + * rom_read + * reads a number of bytes from the Edgeport device starting at the given + * address. +- * If successful returns the number of bytes read, otherwise it returns +- * a negative error number of the problem. ++ * Returns zero on success or a negative error number. + ****************************************************************************/ + static int rom_read(struct usb_serial *serial, __u16 extAddr, + __u16 addr, __u16 length, __u8 *data) +@@ -2135,12 +2134,17 @@ static int rom_read(struct usb_serial *s + USB_REQUEST_ION_READ_ROM, + 0xC0, addr, extAddr, transfer_buffer, + current_length, 300); +- if (result < 0) ++ if (result < current_length) { ++ if (result >= 0) ++ result = -EIO; + break; ++ } + memcpy(data, transfer_buffer, current_length); + length -= current_length; + addr += current_length; + data += current_length; ++ ++ result = 0; + } + + kfree(transfer_buffer); +@@ -2597,9 +2601,10 @@ static void get_manufacturing_desc(struc + EDGE_MANUF_DESC_LEN, + (__u8 *)(&edge_serial->manuf_descriptor)); + +- if (response < 1) +- dev_err(dev, "error in getting manufacturer descriptor\n"); +- else { ++ if (response < 0) { ++ dev_err(dev, "error in getting manufacturer descriptor: %d\n", ++ response); ++ } else { + char string[30]; + dev_dbg(dev, "**Manufacturer Descriptor\n"); + dev_dbg(dev, " RomSize: %dK\n", +@@ -2656,9 +2661,10 @@ static void get_boot_desc(struct edgepor + EDGE_BOOT_DESC_LEN, + (__u8 *)(&edge_serial->boot_descriptor)); + +- if (response < 1) +- dev_err(dev, "error in getting boot descriptor\n"); +- else { ++ if (response < 0) { ++ dev_err(dev, "error in getting boot descriptor: %d\n", ++ response); ++ } else { + dev_dbg(dev, "**Boot Descriptor:\n"); + dev_dbg(dev, " BootCodeLength: %d\n", + le16_to_cpu(edge_serial->boot_descriptor.BootCodeLength)); diff --git a/queue-3.18/usb-serial-io_edgeport-fix-epic-descriptor-handling.patch b/queue-3.18/usb-serial-io_edgeport-fix-epic-descriptor-handling.patch new file mode 100644 index 00000000000..beb82db7b50 --- /dev/null +++ b/queue-3.18/usb-serial-io_edgeport-fix-epic-descriptor-handling.patch @@ -0,0 +1,79 @@ +From e4457d9798adb96272468e93da663de9bd0a4198 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:13 +0100 +Subject: USB: serial: io_edgeport: fix epic-descriptor handling + +From: Johan Hovold + +commit e4457d9798adb96272468e93da663de9bd0a4198 upstream. + +Use a dedicated buffer for the DMA transfer and make sure to detect +short transfers to avoid parsing a corrupt descriptor. + +Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/io_edgeport.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -492,20 +492,24 @@ static int get_epic_descriptor(struct ed + int result; + struct usb_serial *serial = ep->serial; + struct edgeport_product_info *product_info = &ep->product_info; +- struct edge_compatibility_descriptor *epic = &ep->epic_descriptor; ++ struct edge_compatibility_descriptor *epic; + struct edge_compatibility_bits *bits; + struct device *dev = &serial->dev->dev; + + ep->is_epic = 0; ++ ++ epic = kmalloc(sizeof(*epic), GFP_KERNEL); ++ if (!epic) ++ return -ENOMEM; ++ + result = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0), + USB_REQUEST_ION_GET_EPIC_DESC, + 0xC0, 0x00, 0x00, +- &ep->epic_descriptor, +- sizeof(struct edge_compatibility_descriptor), ++ epic, sizeof(*epic), + 300); +- +- if (result > 0) { ++ if (result == sizeof(*epic)) { + ep->is_epic = 1; ++ memcpy(&ep->epic_descriptor, epic, sizeof(*epic)); + memset(product_info, 0, sizeof(struct edgeport_product_info)); + + product_info->NumPorts = epic->NumPorts; +@@ -534,8 +538,16 @@ static int get_epic_descriptor(struct ed + dev_dbg(dev, " IOSPWriteLCR : %s\n", bits->IOSPWriteLCR ? "TRUE": "FALSE"); + dev_dbg(dev, " IOSPSetBaudRate : %s\n", bits->IOSPSetBaudRate ? "TRUE": "FALSE"); + dev_dbg(dev, " TrueEdgeport : %s\n", bits->TrueEdgeport ? "TRUE": "FALSE"); ++ ++ result = 0; ++ } else if (result >= 0) { ++ dev_warn(&serial->interface->dev, "short epic descriptor received: %d\n", ++ result); ++ result = -EIO; + } + ++ kfree(epic); ++ + return result; + } + +@@ -2784,7 +2796,7 @@ static int edge_startup(struct usb_seria + dev_info(&serial->dev->dev, "%s detected\n", edge_serial->name); + + /* Read the epic descriptor */ +- if (get_epic_descriptor(edge_serial) <= 0) { ++ if (get_epic_descriptor(edge_serial) < 0) { + /* memcpy descriptor to Supports structures */ + memcpy(&edge_serial->epic_descriptor.Supports, descriptor, + sizeof(struct edge_compatibility_bits)); diff --git a/queue-3.18/usb-serial-keyspan_pda-fix-receive-sanity-checks.patch b/queue-3.18/usb-serial-keyspan_pda-fix-receive-sanity-checks.patch new file mode 100644 index 00000000000..6c3124e70be --- /dev/null +++ b/queue-3.18/usb-serial-keyspan_pda-fix-receive-sanity-checks.patch @@ -0,0 +1,63 @@ +From c528fcb116e61afc379a2e0a0f70906b937f1e2c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 31 Jan 2017 17:17:29 +0100 +Subject: USB: serial: keyspan_pda: fix receive sanity checks + +From: Johan Hovold + +commit c528fcb116e61afc379a2e0a0f70906b937f1e2c upstream. + +Make sure to check for short transfers before parsing the receive buffer +to avoid acting on stale data. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/keyspan_pda.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/usb/serial/keyspan_pda.c ++++ b/drivers/usb/serial/keyspan_pda.c +@@ -139,6 +139,7 @@ static void keyspan_pda_rx_interrupt(str + { + struct usb_serial_port *port = urb->context; + unsigned char *data = urb->transfer_buffer; ++ unsigned int len = urb->actual_length; + int retval; + int status = urb->status; + struct keyspan_pda_private *priv; +@@ -159,18 +160,26 @@ static void keyspan_pda_rx_interrupt(str + goto exit; + } + ++ if (len < 1) { ++ dev_warn(&port->dev, "short message received\n"); ++ goto exit; ++ } ++ + /* see if the message is data or a status interrupt */ + switch (data[0]) { + case 0: + /* rest of message is rx data */ +- if (urb->actual_length) { +- tty_insert_flip_string(&port->port, data + 1, +- urb->actual_length - 1); +- tty_flip_buffer_push(&port->port); +- } ++ if (len < 2) ++ break; ++ tty_insert_flip_string(&port->port, data + 1, len - 1); ++ tty_flip_buffer_push(&port->port); + break; + case 1: + /* status interrupt */ ++ if (len < 3) { ++ dev_warn(&port->dev, "short interrupt message received\n"); ++ break; ++ } + dev_dbg(&port->dev, "rx int, d1=%d, d2=%d\n", data[1], data[2]); + switch (data[1]) { + case 1: /* modemline change */ diff --git a/queue-3.18/usb-serial-mct_u232-fix-modem-status-error-handling.patch b/queue-3.18/usb-serial-mct_u232-fix-modem-status-error-handling.patch new file mode 100644 index 00000000000..9cd4de3191b --- /dev/null +++ b/queue-3.18/usb-serial-mct_u232-fix-modem-status-error-handling.patch @@ -0,0 +1,41 @@ +From 36356a669eddb32917fc4b5c2b9b8bf80ede69de Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:16 +0100 +Subject: USB: serial: mct_u232: fix modem-status error handling + +From: Johan Hovold + +commit 36356a669eddb32917fc4b5c2b9b8bf80ede69de upstream. + +Make sure to detect short control-message transfers so that errors are +logged when reading the modem status at open. + +Note that while this also avoids initialising the modem status using +uninitialised heap data, these bits could not leak to user space as they +are currently not used. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/mct_u232.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/mct_u232.c ++++ b/drivers/usb/serial/mct_u232.c +@@ -322,8 +322,12 @@ static int mct_u232_get_modem_stat(struc + MCT_U232_GET_REQUEST_TYPE, + 0, 0, buf, MCT_U232_GET_MODEM_STAT_SIZE, + WDR_TIMEOUT); +- if (rc < 0) { ++ if (rc < MCT_U232_GET_MODEM_STAT_SIZE) { + dev_err(&port->dev, "Get MODEM STATus failed (error = %d)\n", rc); ++ ++ if (rc >= 0) ++ rc = -EIO; ++ + *msr = 0; + } else { + *msr = buf[0]; diff --git a/queue-3.18/usb-serial-quatech2-fix-control-message-error-handling.patch b/queue-3.18/usb-serial-quatech2-fix-control-message-error-handling.patch new file mode 100644 index 00000000000..3426272bdea --- /dev/null +++ b/queue-3.18/usb-serial-quatech2-fix-control-message-error-handling.patch @@ -0,0 +1,75 @@ +From 8c34cb8ddfe808d557b51da983ff10c02793beb2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:20 +0100 +Subject: USB: serial: quatech2: fix control-message error handling + +From: Johan Hovold + +commit 8c34cb8ddfe808d557b51da983ff10c02793beb2 upstream. + +Make sure to detect short control-message transfers when fetching +modem and line state in open and when retrieving registers. + +This specifically makes sure that an errno is returned to user space on +errors in TIOCMGET instead of a zero bitmask. + +Also drop the unused getdevice function which also lacked appropriate +error handling. + +Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/quatech2.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/drivers/usb/serial/quatech2.c ++++ b/drivers/usb/serial/quatech2.c +@@ -188,22 +188,22 @@ static inline int qt2_setdevice(struct u + } + + +-static inline int qt2_getdevice(struct usb_device *dev, u8 *data) +-{ +- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), +- QT_SET_GET_DEVICE, 0xc0, 0, 0, +- data, 3, QT2_USB_TIMEOUT); +-} +- + static inline int qt2_getregister(struct usb_device *dev, + u8 uart, + u8 reg, + u8 *data) + { +- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), +- QT_SET_GET_REGISTER, 0xc0, reg, +- uart, data, sizeof(*data), QT2_USB_TIMEOUT); ++ int ret; + ++ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ++ QT_SET_GET_REGISTER, 0xc0, reg, ++ uart, data, sizeof(*data), QT2_USB_TIMEOUT); ++ if (ret < sizeof(*data)) { ++ if (ret >= 0) ++ ret = -EIO; ++ } ++ ++ return ret; + } + + static inline int qt2_setregister(struct usb_device *dev, +@@ -372,9 +372,11 @@ static int qt2_open(struct tty_struct *t + 0xc0, 0, + device_port, data, 2, QT2_USB_TIMEOUT); + +- if (status < 0) { ++ if (status < 2) { + dev_err(&port->dev, "%s - open port failed %i\n", __func__, + status); ++ if (status >= 0) ++ status = -EIO; + kfree(data); + return status; + } diff --git a/queue-3.18/usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch b/queue-3.18/usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch new file mode 100644 index 00000000000..c24be33e0d5 --- /dev/null +++ b/queue-3.18/usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch @@ -0,0 +1,91 @@ +From 16620b483eaf7750413bae472f4363b6b959fcaa Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 6 Feb 2017 16:28:14 +0100 +Subject: USB: serial: sierra: fix bogus alternate-setting assumption + +From: Johan Hovold + +commit 16620b483eaf7750413bae472f4363b6b959fcaa upstream. + +Interface numbers do not change when enabling alternate settings as +comment and code in this driver suggested. + +Remove the confusing comment and redundant retrieval of the interface +number in probe, while simplifying and renaming the interface-number +helper. + +Fixes: 4db2299da213 ("sierra: driver interface blacklisting") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/sierra.c | 28 +++++----------------------- + 1 file changed, 5 insertions(+), 23 deletions(-) + +--- a/drivers/usb/serial/sierra.c ++++ b/drivers/usb/serial/sierra.c +@@ -137,24 +137,9 @@ static int is_himemory(const u8 ifnum, + return 0; + } + +-static int sierra_calc_interface(struct usb_serial *serial) ++static u8 sierra_interface_num(struct usb_serial *serial) + { +- int interface; +- struct usb_interface *p_interface; +- struct usb_host_interface *p_host_interface; +- +- /* Get the interface structure pointer from the serial struct */ +- p_interface = serial->interface; +- +- /* Get a pointer to the host interface structure */ +- p_host_interface = p_interface->cur_altsetting; +- +- /* read the interface descriptor for this active altsetting +- * to find out the interface number we are on +- */ +- interface = p_host_interface->desc.bInterfaceNumber; +- +- return interface; ++ return serial->interface->cur_altsetting->desc.bInterfaceNumber; + } + + static int sierra_probe(struct usb_serial *serial, +@@ -165,7 +150,7 @@ static int sierra_probe(struct usb_seria + u8 ifnum; + + udev = serial->dev; +- ifnum = sierra_calc_interface(serial); ++ ifnum = sierra_interface_num(serial); + + /* + * If this interface supports more than 1 alternate +@@ -178,9 +163,6 @@ static int sierra_probe(struct usb_seria + usb_set_interface(udev, ifnum, 1); + } + +- /* ifnum could have changed - by calling usb_set_interface */ +- ifnum = sierra_calc_interface(serial); +- + if (is_blacklisted(ifnum, + (struct sierra_iface_info *)id->driver_info)) { + dev_dbg(&serial->dev->dev, +@@ -342,7 +324,7 @@ static int sierra_send_setup(struct usb_ + + /* If composite device then properly report interface */ + if (serial->num_ports == 1) { +- interface = sierra_calc_interface(serial); ++ interface = sierra_interface_num(serial); + /* Control message is sent only to interfaces with + * interrupt_in endpoints + */ +@@ -916,7 +898,7 @@ static int sierra_port_probe(struct usb_ + /* Determine actual memory requirements */ + if (serial->num_ports == 1) { + /* Get interface number for composite device */ +- ifnum = sierra_calc_interface(serial); ++ ifnum = sierra_interface_num(serial); + himemoryp = &typeB_interface_list; + } else { + /* This is really the usb-serial port number of the interface diff --git a/queue-3.18/usb-serial-ssu100-fix-control-message-error-handling.patch b/queue-3.18/usb-serial-ssu100-fix-control-message-error-handling.patch new file mode 100644 index 00000000000..251e6e4da89 --- /dev/null +++ b/queue-3.18/usb-serial-ssu100-fix-control-message-error-handling.patch @@ -0,0 +1,78 @@ +From 1eac5c244f705182d1552a53e2f74e2775ed95d6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:22 +0100 +Subject: USB: serial: ssu100: fix control-message error handling + +From: Johan Hovold + +commit 1eac5c244f705182d1552a53e2f74e2775ed95d6 upstream. + +Make sure to detect short control-message transfers rather than continue +with zero-initialised data when retrieving modem status and during +device initialisation. + +Fixes: 52af95459939 ("USB: add USB serial ssu100 driver") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ssu100.c | 31 ++++++++++++++++++++++++------- + 1 file changed, 24 insertions(+), 7 deletions(-) + +--- a/drivers/usb/serial/ssu100.c ++++ b/drivers/usb/serial/ssu100.c +@@ -80,9 +80,17 @@ static inline int ssu100_setdevice(struc + + static inline int ssu100_getdevice(struct usb_device *dev, u8 *data) + { +- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), +- QT_SET_GET_DEVICE, 0xc0, 0, 0, +- data, 3, 300); ++ int ret; ++ ++ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ++ QT_SET_GET_DEVICE, 0xc0, 0, 0, ++ data, 3, 300); ++ if (ret < 3) { ++ if (ret >= 0) ++ ret = -EIO; ++ } ++ ++ return ret; + } + + static inline int ssu100_getregister(struct usb_device *dev, +@@ -90,10 +98,17 @@ static inline int ssu100_getregister(str + unsigned short reg, + u8 *data) + { +- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), +- QT_SET_GET_REGISTER, 0xc0, reg, +- uart, data, sizeof(*data), 300); ++ int ret; + ++ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ++ QT_SET_GET_REGISTER, 0xc0, reg, ++ uart, data, sizeof(*data), 300); ++ if (ret < sizeof(*data)) { ++ if (ret >= 0) ++ ret = -EIO; ++ } ++ ++ return ret; + } + + +@@ -289,8 +304,10 @@ static int ssu100_open(struct tty_struct + QT_OPEN_CLOSE_CHANNEL, + QT_TRANSFER_IN, 0x01, + 0, data, 2, 300); +- if (result < 0) { ++ if (result < 2) { + dev_dbg(&port->dev, "%s - open failed %i\n", __func__, result); ++ if (result >= 0) ++ result = -EIO; + kfree(data); + return result; + } diff --git a/queue-3.18/usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch b/queue-3.18/usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch new file mode 100644 index 00000000000..e40accb539e --- /dev/null +++ b/queue-3.18/usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch @@ -0,0 +1,55 @@ +From 39712e8bfa8d3aa6ce1e60fc9d62c9b076c17a30 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:23 +0100 +Subject: USB: serial: ti_usb_3410_5052: fix control-message error handling + +From: Johan Hovold + +commit 39712e8bfa8d3aa6ce1e60fc9d62c9b076c17a30 upstream. + +Make sure to detect and return an error on zero-length control-message +transfers when reading from the device. + +This addresses a potential failure to detect an empty transmit buffer +during close. + +Also remove a redundant check for short transfer when sending a command. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ti_usb_3410_5052.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +--- a/drivers/usb/serial/ti_usb_3410_5052.c ++++ b/drivers/usb/serial/ti_usb_3410_5052.c +@@ -1343,13 +1343,10 @@ static int ti_command_out_sync(struct ti + (USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT), + value, moduleid, data, size, 1000); + +- if (status == size) +- status = 0; +- +- if (status > 0) +- status = -ECOMM; ++ if (status < 0) ++ return status; + +- return status; ++ return 0; + } + + +@@ -1365,8 +1362,7 @@ static int ti_command_in_sync(struct ti_ + + if (status == size) + status = 0; +- +- if (status > 0) ++ else if (status >= 0) + status = -ECOMM; + + return status; diff --git a/queue-3.18/x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch b/queue-3.18/x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch new file mode 100644 index 00000000000..7344d804dbd --- /dev/null +++ b/queue-3.18/x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch @@ -0,0 +1,48 @@ +From 68dee8e2f2cacc54d038394e70d22411dee89da2 Mon Sep 17 00:00:00 2001 +From: Nikola Pajkovsky +Date: Tue, 15 Nov 2016 09:47:49 +0100 +Subject: x86/pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nikola Pajkovsky + +commit 68dee8e2f2cacc54d038394e70d22411dee89da2 upstream. + +commit 8fd524b355da ("x86: Kill bad_dma_address variable") has killed +bad_dma_address variable and used instead of macro DMA_ERROR_CODE +which is always zero. Since dma_addr is unsigned, the statement + + dma_addr >= DMA_ERROR_CODE + +is always true, and not needed. + +arch/x86/kernel/pci-calgary_64.c: In function ‘iommu_free’: +arch/x86/kernel/pci-calgary_64.c:299:2: warning: comparison of unsigned expression >= 0 is always true [-Wtype-limits] + if (unlikely((dma_addr >= DMA_ERROR_CODE) && (dma_addr < badend))) { + +Fixes: 8fd524b355da ("x86: Kill bad_dma_address variable") +Signed-off-by: Nikola Pajkovsky +Cc: iommu@lists.linux-foundation.org +Cc: Jon Mason +Cc: Muli Ben-Yehuda +Link: http://lkml.kernel.org/r/7612c0f9dd7c1290407dbf8e809def922006920b.1479161177.git.npajkovsky@suse.cz +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/pci-calgary_64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/pci-calgary_64.c ++++ b/arch/x86/kernel/pci-calgary_64.c +@@ -296,7 +296,7 @@ static void iommu_free(struct iommu_tabl + + /* were we called with bad_dma_address? */ + badend = DMA_ERROR_CODE + (EMERGENCY_PAGES * PAGE_SIZE); +- if (unlikely((dma_addr >= DMA_ERROR_CODE) && (dma_addr < badend))) { ++ if (unlikely(dma_addr < badend)) { + WARN(1, KERN_ERR "Calgary: driver tried unmapping bad DMA " + "address 0x%Lx\n", dma_addr); + return; diff --git a/queue-3.18/x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch b/queue-3.18/x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch new file mode 100644 index 00000000000..04b17074c53 --- /dev/null +++ b/queue-3.18/x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch @@ -0,0 +1,44 @@ +From 80354c29025833acd72ddac1ffa21c6cb50128cd Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Sun, 12 Mar 2017 17:07:44 +0200 +Subject: x86/platform/intel-mid: Correct MSI IRQ line for watchdog device + +From: Andy Shevchenko + +commit 80354c29025833acd72ddac1ffa21c6cb50128cd upstream. + +The interrupt line used for the watchdog is 12, according to the official +Intel Edison BSP code. + +And indeed after fixing it we start getting an interrupt and thus the +watchdog starts working again: + + [ 191.699951] Kernel panic - not syncing: Kernel Watchdog + +Signed-off-by: Andy Shevchenko +Cc: Borislav Petkov +Cc: David Cohen +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 78a3bb9e408b ("x86: intel-mid: add watchdog platform code for Merrifield") +Link: http://lkml.kernel.org/r/20170312150744.45493-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/platform/intel-mid/device_libs/platform_wdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/platform/intel-mid/device_libs/platform_wdt.c ++++ b/arch/x86/platform/intel-mid/device_libs/platform_wdt.c +@@ -17,7 +17,7 @@ + #include + #include + +-#define TANGIER_EXT_TIMER0_MSI 15 ++#define TANGIER_EXT_TIMER0_MSI 12 + + static struct platform_device wdt_dev = { + .name = "intel_mid_wdt",